Compliance at Small Companies
Earlier this week I had the privilege of speaking to a law school class about corporate compliance programs, and specifically about how compliance officers at small companies can succeed in the job when they typically have precious few resources to do it. That’s a terrific subject to explore, so let me recap some of my points here today.
We first talked about program assessments — that is, assessing the strengths and weaknesses of your compliance program, and developing a plan to make your program stronger and more useful to your company. How can you do that when you might be the sole compliance employee at your company, which itself might be a small business that might not see much need for a robust compliance program?
For starters, align your program assessment plans with the company’s business objectives. Otherwise you’re assessing your compliance program in isolation from what the business is doing, which is how you end up with senior management saying, “Ugh, compliance is nothing but a cost center” and then cutting your budget.
For example, say you’re at a high-growth startup that wants to expand to international markets. That’s great, but global expansion will bring your business into contact with more foreign jurisdictions, each one with its own laws for corruption, data privacy, consumer protection, and so forth. So you might want to devote your time to assessing your compliance program’s capabilities for regulatory change management (“How can we track overseas regulations and their applicability to us?”) and policy management (“How can we assure that our policies and procedures match regulatory requirements?”).
Or maybe you’re a startup broker-dealer firm looking to drum up more business. Management decides it wants to move from a dedicated sales team to a network of independent sales agents, who access customer leads via an online portal. In that case, you want to assess your program’s ability to handle data privacy, cybersecurity, and identity theft regulations — say, how well you can map multiple regulatory obligations (from FINRA, the Securities and Exchange Commission, and state regulators) to existing firm policies, procedures, and controls, to keep your compliance apparatus as streamlined as possible.
In both cases, you’re tying your compliance program to the company’s business objectives first, so you can help the company achieve its objectives in a more risk-aware manner. That’s how you win support from senior management and the rest of the enterprise, and how you demonstrate to auditors or regulators that, yes, you’ve put some thought into why your program works the way it does.
Are Risks More or Less Complicated?
We also spent time debating how risks at a smaller company differ from those at large ones. Shouldn’t your risk assessment be easier for a smaller operation?
Well, yes and no. Certainly small businesses tend to have fewer regulatory compliance obligations, because you’re a smaller organization doing fewer things. You might not have international operations that bump up against new jurisdictions and their attendant rules. You might not meet revenue thresholds that trigger new privacy obligations or human-trafficking disclosures.
On the other hand, smaller companies also tend to have weaker internal control systems, so there’s a greater chance that something could go wrong. You might not have the best IT system for monitoring unwanted intruders trying to access your data center. You might have poor segregation of duties in the accounting department, which increases fraud risk. Above all, you’re more likely to work under a strong CEO with broad power to override the internal controls and policies you have.
We spent a lot of time talking about “CEO risk.” Of course lots of large companies have strong CEOs too, but large companies are more likely to have sophisticated controls and documentation processes that make management override decisions stick out like a sore thumb. Smaller companies are far more at risk of a CEO saying, “OK, I see your point on this issue, but we’re going to let it slide anyway.” Then you’re on a slippery slope to governance by CEO whim rather than thoughtful business practices.
In other words, corporate culture can actually matter more at a small company, because you have fewer of the structures and mechanisms that large companies do (written policies, hard-coded IT processes, disclosure obligations) to force those companies to behave in certain ways.
Your ability to debate that threat to the CEO, investors, board directors, and other senior managers — diplomatically, before any specific crisis, framing the discussion as “we’re all on the same side of wanting the business to prosper” — is crucial for your career success.
Career Success at Small Companies
Lastly, we debated another important question. Given the challenges of working as a compliance officer at a small business — with few resources, so much to do, and so much depending on personal relationships with others at the company — should compliance officers even want a job like that? Isn’t it a crazy career risk?
Sure, it can be. But let’s consider a few ways that compliance professionals can think through those risks and the corresponding rewards.
First, running compliance at a small organization can bring invaluable career experience for later in life. You might get to build your company’s first compliance program, deciding how to take the results of that risk assessment and translate it into real policies, real IT systems, and real results. You might get to build your own team as the company prospers.
Even if you subsequently move to a larger company with a pre-existing compliance program, experience in building a program, or in taking it from “immature” to “robust,” will be valuable. Lots of large companies launch new ventures where they encounter new risks, and that’s when knowing how to build a compliance program response to new risks will matter.
That said, working at a small company is fraught with peril. Even if the company is financially stable (sometimes a big if), you have other career variables you need to evaluate carefully.
For example, who is your boss, and how does that person fit into the company? Most compliance officers at small businesses will report to the general counsel. How does that person view the compliance function? Even if the GC supports a strong and robust compliance function, is that person likely to endure at the company a long while? I can’t count the number of times I’ve heard of a compliance professional joining a company, excited to work for a great boss — and six or nine months later, that person leaves, and a new GC arrives who reorgs the whole place and lays you off.
Perhaps another way to say it is that office politics can be simpler at small companies, but also more random. If you have a solid management team with a clear plan, that’s fine; but if you don’t, that random chance could send your career reeling much more quickly than what you might encounter at a larger company.